// Inbound message that links to a free file host and comes from a sender on a
// suspicious TLD, gated by sender reputation.
// $free_file_hosts, $file_types_images and $suspicious_tlds are list references
// resolved outside this rule; their contents are not visible here.
type.inbound
// At least one body link whose hostname, or its registrable root domain, is a
// known free file host.
and any(body.links,
(
.href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_file_hosts
)
// Exclude links that end in an image extension: free file hosts are also used
// to serve ordinary inline images. In the nested any(), `.` is the current
// image extension and `..href_url.url` reaches the link from the enclosing any().
// NOTE(review): the suffix check runs against the full URL string, so an image
// URL followed by a query string or fragment is not excluded -- a false-positive
// risk rather than a miss; confirm whether that is acceptable.
and not any($file_types_images,
strings.iends_with(..href_url.url, strings.concat('.', .))
)
)
// Sender's TLD is on the suspicious-TLD list.
and sender.email.domain.tld in $suspicious_tlds
// Explicit exceptions for two sender root domains -- presumably legitimate
// senders whose TLDs fall in $suspicious_tlds. The exception keys on the sender
// domain string only; no sender-authentication check is visible in this rule.
and not sender.email.domain.root_domain in ("notion.so", "cribl.cloud")
// Sender reputation gate: fire when the sender is unsolicited, or when the
// sender has prior malicious/spam messages and no benign ones.
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)